- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 4 Jun 2014 09:55:00 +0200
- To: Mike West <mkwst@google.com>
- Cc: Brad Hill <hillbrad@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
On Wed, Jun 4, 2014 at 9:42 AM, Mike West <mkwst@google.com> wrote: > Well, there's already a lot of magic hidden away in > http://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch. All of > the TLS-handshake, for instance. I don't know what level you'd like Fetch to > dive down to. I'm assuming that is defined by the TLS/HTTP specifications. Roughly what Fetch is doing is defining the missing parts between APIs and getting a resource out of a URL. > Frame ancestors seems like something we could reasonably include in Fetch > (perhaps by pointing to a new hook in CSP, and passing in the request and > response). I'm not really sure where to stop, however. At some point we > reach the transport layer, which doesn't seem like what Fetch should be > concerned with. I guess there's a stopping point somewhere between those > two. I don't see how it's lower than Fetch by the way. You need to process all headers before you know if you're going to follow a redirect. So it seems like you would know this around step 10 of http://fetch.spec.whatwg.org/#concept-fetch I was just thinking that since you need to know something about the element and its ancestors, a hook in HTML might be more appropriate. -- http://annevankesteren.nl/
Received on Wednesday, 4 June 2014 07:55:28 UTC